Today
Possibly, we can use new GCC option: -ftrivial-auto-var-init=0xFEFEFEFE.
https://gcc.gnu.org/gcc-12/changes.html#uninitialized
The bug was there when it was initially written. It was in 2003, which introduced PC/SC in rG1bcf8ef9dea1: Cleanups, fixes and PC/SC support
When compiling the package, I can see that all 4 are applied.
Yesterday
I think that it means that you only applied the last two patches.
Thanks again for your update.
Sat, May 14
I just wrote a blog article about this problem
https://ludovicrousseau.blogspot.com/2022/05/scardlistreaders-and-non-initialized.html
Fri, May 13
Thanks for opening a ticket.
Thanks a lot for your cooperation.
I put more fix for error handling of key algorithm attribute.
The change: rG53eddf9b9ea0: scd: Fail when no good algorithm attribute.
Thanks a lot for your cooperation.
Thu, May 12
Contrary to your expectations, all gpg --card-status fail after yubikey insertion:
Please do experiment again and give us the whole log of scdaemon.log for:
- insert Yubikey initially
- run gpg --card-status (success is expected)
- remove Yubikey
- insert Yubikey second time
- run gpg --card-status (failure is expected)
In case you need any information, be sure to tell me. Maybe we can add some manual loggers to the patches, to confirm that everything is working as you imagine it to?
Umm... The problem is the last bogus octet from Yubikey. In the log, we see:
Wed, May 11
I'm certain I've applied the patches correctly. This is my current patchset:
The change improve error handling for possible other errors by device: rG53eddf9b9ea0: scd: Fail when no good algorithm attribute.
Thank you for the logs. It seems that scdaemon didn't detect the removal correctly.
Tue, May 10
I've uploaded the requested information with triple verbose and debug-all setting in the scdaemon.conf as scdaemon.log.
Applied to 2.2 branch, too.
I examined all log files you gave us, and I think that scdaemon with PC/SC fails to detect the removal of the USB device.
Mon, May 9
I've applied the linked patch, but still experience the error. Most of the times, I cannot access my yubikey at all and I am not sure what is blocking it.
I've tried to include as much debugging output as I could below. Please let me know if there is anything else I can do to debug this.
The patch rG054d14887ef8: scd: Add workaround for ECC attribute on Yubikey. fixes a particular problem of Yubikey implementation where it returns bogus octet for its data object of C1, C2, and C3.
Fri, May 6
With the patch and after starting a new gpg-agent, gpg --card-status now works immediately.
But when I re-plug the yubikey, gpg reports gpg: OpenPGP card not available: Card error until either gpg-agent is restarted, or pcscd is restarted.
pcsc-lite in debug mode reports no errors, but one log is obviously much shorter as gpg fails early (I've attached both).
I pushed a workaround.
Mon, May 2
KexAlgorithms -sntrup761x25519-sha512@openssh.com
Thu, Apr 28
FWIW, your comments about the autostart script do not match with the running processes. Obviously, the autostart script starts gpg-agent with different command line options than the running process. My conclusion is that the autostart script isn't used. Or maybe it is started, but gpg-agent immediately terminates because it notices that another instance is already running.
If you add an autostart script then you may have to add a corresponding shutdown script as well, e.g. a script running gpgconf --kill all. You cannot expect that daemons, that you start via an autostart script, magically know when they should terminate.
Thank you for the hints!
Thank you for the explanation. (It's not related to --supervised, I suppose.)
Wed, Apr 27
I see the following GPG-related commands running currently (with disable-scdaemon in config file):
The issues mentioned in the previous comment have been fixed.
I had a look at the file system watcher we use to react on changes in the GnuPG home directory. It doesn't watch the private keys living in private-keys-v1.d. Moreover, it does not handle the removal of files properly.
Tue, Apr 26
My Yubikey (Yubico.com Yubikey 4/5 OTP+U2F+CCID) works fine with OpenSSH using kex of sntrup761x25519-sha512@openssh.com.
Mon, Apr 25
Please contact the Debian developers for any systemd/gnupg issues. We don't suggest the use of the --supervised option because it causes more problems than it claims to solve.
Sorry, I was confused. For RSA-4096, data is hashed by gpg-agent and hashed data is signed by a card.
We are using rsa-4096 on smartcard for quite some time; so I wonder what's the problem here. Is that that we don't use our Assuan hack for large key material with OpenPGP.3?
There is another case: RSA-4096 key. scdaemon rejects data by Invalid value. Unfortunately, there is no fix for this, as it's really too large. Even if scdaemon allows larger data, the card implementation rejects, when it conforms to PKCS #1 standard (data should not be larger than 40% of the modulus).